buran | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

Analysis

max time kernel
73s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
31-08-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 7FF-128-90D Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
772	explorer.exe
1600	explorer.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupAdd.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeSearch.tiff	explorer.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1116	notepad.exe

Loads dropped DLL 1 IoCs

Processes:

pattern.exe

pid	Process
1672	pattern.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198447.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME44.CSS	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG	explorer.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx	explorer.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF.kd8eby0.7FF-128-90D	explorer.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.kd8eby0.7FF-128-90D	explorer.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.HXS.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTS.ICO	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.ICO	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPS.ICO.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti	explorer.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02009_.WMF.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROG98.POC	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195428.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3.kd8eby0.7FF-128-90D	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.kd8eby0.7FF-128-90D	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1532	vssadmin.exe
828	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1672	pattern.exe
Token: SeDebugPrivilege	1672	pattern.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	596	WMIC.exe
Token: SeSecurityPrivilege	596	WMIC.exe
Token: SeTakeOwnershipPrivilege	596	WMIC.exe
Token: SeLoadDriverPrivilege	596	WMIC.exe
Token: SeSystemProfilePrivilege	596	WMIC.exe
Token: SeSystemtimePrivilege	596	WMIC.exe
Token: SeProfSingleProcessPrivilege	596	WMIC.exe
Token: SeIncBasePriorityPrivilege	596	WMIC.exe
Token: SeCreatePagefilePrivilege	596	WMIC.exe
Token: SeBackupPrivilege	596	WMIC.exe
Token: SeRestorePrivilege	596	WMIC.exe
Token: SeShutdownPrivilege	596	WMIC.exe
Token: SeDebugPrivilege	596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	596	WMIC.exe
Token: SeRemoteShutdownPrivilege	596	WMIC.exe
Token: SeUndockPrivilege	596	WMIC.exe
Token: SeManageVolumePrivilege	596	WMIC.exe
Token: 33	596	WMIC.exe
Token: 34	596	WMIC.exe
Token: 35	596	WMIC.exe
Token: SeBackupPrivilege	1852	vssvc.exe
Token: SeRestorePrivilege	1852	vssvc.exe
Token: SeAuditPrivilege	1852	vssvc.exe
Token: SeIncreaseQuotaPrivilege	596	WMIC.exe
Token: SeSecurityPrivilege	596	WMIC.exe
Token: SeTakeOwnershipPrivilege	596	WMIC.exe
Token: SeLoadDriverPrivilege	596	WMIC.exe
Token: SeSystemProfilePrivilege	596	WMIC.exe
Token: SeSystemtimePrivilege	596	WMIC.exe
Token: SeProfSingleProcessPrivilege	596	WMIC.exe
Token: SeIncBasePriorityPrivilege	596	WMIC.exe
Token: SeCreatePagefilePrivilege	596	WMIC.exe
Token: SeBackupPrivilege	596	WMIC.exe
Token: SeRestorePrivilege	596	WMIC.exe
Token: SeShutdownPrivilege	596	WMIC.exe
Token: SeDebugPrivilege	596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	596	WMIC.exe
Token: SeRemoteShutdownPrivilege	596	WMIC.exe
Token: SeUndockPrivilege	596	WMIC.exe
Token: SeManageVolumePrivilege	596	WMIC.exe
Token: 33	596	WMIC.exe
Token: 34	596	WMIC.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

pattern.exeexplorer.execmd.execmd.exe

description	pid	Process	procid_target
PID 1672 wrote to memory of 772	1672	pattern.exe	31
PID 1672 wrote to memory of 772	1672	pattern.exe	31
PID 1672 wrote to memory of 772	1672	pattern.exe	31
PID 1672 wrote to memory of 772	1672	pattern.exe	31
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 1672 wrote to memory of 1116	1672	pattern.exe	32
PID 772 wrote to memory of 784	772	explorer.exe	34
PID 772 wrote to memory of 784	772	explorer.exe	34
PID 772 wrote to memory of 784	772	explorer.exe	34
PID 772 wrote to memory of 784	772	explorer.exe	34
PID 772 wrote to memory of 1308	772	explorer.exe	38
PID 772 wrote to memory of 1308	772	explorer.exe	38
PID 772 wrote to memory of 1308	772	explorer.exe	38
PID 772 wrote to memory of 1308	772	explorer.exe	38
PID 772 wrote to memory of 972	772	explorer.exe	35
PID 772 wrote to memory of 972	772	explorer.exe	35
PID 772 wrote to memory of 972	772	explorer.exe	35
PID 772 wrote to memory of 972	772	explorer.exe	35
PID 772 wrote to memory of 1448	772	explorer.exe	39
PID 772 wrote to memory of 1448	772	explorer.exe	39
PID 772 wrote to memory of 1448	772	explorer.exe	39
PID 772 wrote to memory of 1448	772	explorer.exe	39
PID 772 wrote to memory of 1624	772	explorer.exe	41
PID 772 wrote to memory of 1624	772	explorer.exe	41
PID 772 wrote to memory of 1624	772	explorer.exe	41
PID 772 wrote to memory of 1624	772	explorer.exe	41
PID 772 wrote to memory of 560	772	explorer.exe	44
PID 772 wrote to memory of 560	772	explorer.exe	44
PID 772 wrote to memory of 560	772	explorer.exe	44
PID 772 wrote to memory of 560	772	explorer.exe	44
PID 772 wrote to memory of 1600	772	explorer.exe	45
PID 772 wrote to memory of 1600	772	explorer.exe	45
PID 772 wrote to memory of 1600	772	explorer.exe	45
PID 772 wrote to memory of 1600	772	explorer.exe	45
PID 560 wrote to memory of 596	560	cmd.exe	49
PID 560 wrote to memory of 596	560	cmd.exe	49
PID 560 wrote to memory of 596	560	cmd.exe	49
PID 560 wrote to memory of 596	560	cmd.exe	49
PID 1624 wrote to memory of 1532	1624	cmd.exe	48
PID 1624 wrote to memory of 1532	1624	cmd.exe	48
PID 1624 wrote to memory of 1532	1624	cmd.exe	48
PID 1624 wrote to memory of 1532	1624	cmd.exe	48
PID 560 wrote to memory of 828	560	cmd.exe	52
PID 560 wrote to memory of 828	560	cmd.exe	52
PID 560 wrote to memory of 828	560	cmd.exe	52
PID 560 wrote to memory of 828	560	cmd.exe	52
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54
PID 772 wrote to memory of 436	772	explorer.exe	54

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:596
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:828
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1600
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:436
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
d2c55d68212e393dea509319eb7a6c5c

SHA1
842eb0432c9c17a275d844b29761f202f02810a1

SHA256
3af48661dc474fc0cf06976fec2e5caa4a8f52d125003aac967064abf04b2217

SHA512
368b25b47a586ea35fc8c8f3a1b113f45f95c1587250c2d072fe0e79e98830efdc4ede0a618679bc0ba5cb0f5342da2f93d8f783e7745bba9a9e7446f7c4694e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
9c60dac36373b83d8f50d4ae46799533

SHA1
dd09dc5e4223ce856f9de8a70b3043ab46a0aa88

SHA256
2e6b5506aaf6c5c9438b74c081ce4ec28bdb1c8d4e57b6984bb542fa67e11e2e

SHA512
cb0324c254ab4277aaca687ee662bfc13522765988ddfc44abbb550c0aafe8ea030827e7127f5bd101ab0b0cccf44793b5989dee92efb4d44fecfced8e87c601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
2be560f2b0c680106efeb09f6f414a52

SHA1
92e8f3c51f13bd7c420386b52b9416682b420614

SHA256
7b759f744456faaf6c451c8e0fe8504462bf1553e44fe27b1f137a2b4a6fe54b

SHA512
61e47967ca630a4c5e960495ed9a825daf6893aa4b283305fa6c4722fc201e058b6faf2afd37a9351953f76da436796c467a48224cb142c3c03afa99e0b45f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
da28ee351914429fe591423854470695

SHA1
7b3e5a7a885a091f0cf4cd58eeecc7f0e10a1127

SHA256
286a9303a0206838577c3e0f7dffda4e14581fba030cb6621641c83dec515059

SHA512
9d1fa315cbf999af014128d8b5b22c661c7b60d38e0558ffdcbb7856431482d00b6515887e48332d389776e2b9029188287a33bd2cec3ee3b9a3bad5a01d5bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G2KS51P3\N8V2WKZU.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V13U08N9\AYKK1722.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\ConfirmPublish.vdw.kd8eby0.7FF-128-90D

MD5
dfc154a7c4ee42477817b4e930e33cc3

SHA1
0f62a29fcdb9f7f03fe6624daa0871e58d0c6621

SHA256
1c4570f7eff63ebc3bdd80368bf95b265025e0ef8c1b9d5c760b9ea0163d4a8f

SHA512
764b33d865320c769dec58cf47f03b9c99cf5a53a6a1145235d673bc671877078f0355f079fe1308c78f3a6a302c653cc79c9fd2b89f2908a3875692cea0e0d0

Download Submit
C:\Users\Admin\Desktop\DisableResolve.au3.kd8eby0.7FF-128-90D

MD5
1c9042f9e3af1f9fd1bb2ac56474082a

SHA1
4bc5c119dda317cafff655309fc00b7673f3f5d2

SHA256
3621d812fff0b35625d084548d9b3657348bd7508344fdec822904234caf7d5d

SHA512
1805db5559f10dc05c51706cb280b18fc51a21850f306448080c2f99347d6c3899920d930cd439e831a907d0141a816b4e164b5b94a7473c1375bfb3dfa31195

Download Submit
C:\Users\Admin\Desktop\DismountConnect.emf.kd8eby0.7FF-128-90D

MD5
698c6dda9607ef91d93bfd8276494f39

SHA1
a0a0679e73f905857dc7c6aa0c250495cca68afb

SHA256
48146245ede2a6ac308ff406cd62ed9d55520de31ae2dde4ef1c34870f987707

SHA512
da6dde3a7eac58aa96e7854c6ade412d9cb1ce081463f58ae9646e7cf344b971bff140b36e5f729def5cc59fd972188505f868d7766a1adbaacc584a78499112

Download Submit
C:\Users\Admin\Desktop\EditProtect.ocx.kd8eby0.7FF-128-90D

MD5
7c4cf352204e6a2b95c0997789071e02

SHA1
f525a93ba408fd598255b19e1aea2a8180b4cc4e

SHA256
0e90c5939d3e2fd15ff4b0c88a71e1f1c81643fb4e7c20fe1ab1f9991a1279cc

SHA512
1cd924b0d55ca7e295d2e7fd2529b409d89b4b2f48db0f006d285a39f5de0cbbf0fe413dc6689e83e8cea9307c0dc240780080394746c76b60f413c9f4dda055

Download Submit
C:\Users\Admin\Desktop\EnterClose.M2TS.kd8eby0.7FF-128-90D

MD5
99e7d93307f00fe460057673ec0a6029

SHA1
43837b9e7500780db1853a4697e8af9bbe7a1198

SHA256
d7acd5a9015dcf717a0aa9746bac8f96e57a6bccf155eb00be8686315a185d2e

SHA512
a6fe0890cee494d1d55574e4aa6663d4bd8c4a0ea1cb90d728becdfd9c4d54ccf5c87539088a0af85d121e742ce082c47b18d3994d5c5eed72ffbbe4c139ee40

Download Submit
C:\Users\Admin\Desktop\ExportGet.wmf.kd8eby0.7FF-128-90D

MD5
0fad323ae5164ef1471ff28efacbf736

SHA1
8cd092110130ea6d959bdb159723518487ef2f6c

SHA256
819f848626e4ce90bcd44b0c88c7cacad7ff1c26287fe3c1ac788b070f30e9ec

SHA512
9ff5716f1bc450418e077319e6f310a65656e4b308a94840d4f4494682889690ec7ad9bfed45534c0d925e9a3a99914ddd2a8f59ad6852c062f2ff4f54f389ff

Download Submit
C:\Users\Admin\Desktop\FormatRevoke.bin.kd8eby0.7FF-128-90D

MD5
4e53a526378f46c326ab9ddaee7f645d

SHA1
29c9249631b962b871ea4f62459977de43b409b3

SHA256
63cc74b694955a21e9b6ea6192fa45baefbc38aa1016c51ab27776871ee5ace1

SHA512
5b672f76ea328eddb01550877341ea9f4676a17ddababb3a40a2e80d52797a1350bbcbe069db24f8c73ed7e73678047bf2f95660bf5dddce265649f4445ad267

Download Submit
C:\Users\Admin\Desktop\GrantShow.vsx.kd8eby0.7FF-128-90D

MD5
8ba9d9517d267f17fc0d5279cfacb2eb

SHA1
2bd49b75041ca8659dcadadd7622bb9ddcc33ff2

SHA256
0bde636075f84faeec53b13c311d3766b6a2d37733ded0cf52f05490f7ec281c

SHA512
3a8283b29c8749455a31790aeaaff8f28572d777c85a9d28b46d717f600c4f9aed06099361df6667a100a35f1fb505bc87171174816d2ce2914ad495e47bc510

Download Submit
C:\Users\Admin\Desktop\ImportReceive.ppt.kd8eby0.7FF-128-90D

MD5
a775bcb3ce6734ffe8727fce7f5a857b

SHA1
adae959b1c32986aa86ec034d128c876dff56be4

SHA256
c94370eab33c1594f9fc2d48eaeb1cbfcc537ae0f17dcfe61fe52c722d831b0d

SHA512
0d3bde01e468eb014cf8263e113bc4dc119cae780ff6ccdb8e252ca9f71439349ca16acb70e48a91fad90a777a228712b1cdd62b9d6dd8e431b724a47af35968

Download Submit
C:\Users\Admin\Desktop\InvokeResume.ppsm.kd8eby0.7FF-128-90D

MD5
eea595a8a4b92e7f6560525d1118c94d

SHA1
18e39b338ab7e3d5eacce5957fab0460bcad98fa

SHA256
bc14f36655085d9a78c39a8a4112be128b0645bb2b741ab837aba542d0e5b5b2

SHA512
512f45d81de2e90ec9fcdee6c3a6cfaa3db3b4c2e01f56ee04069c9b4ec1c4813d61665f6944079c5acbdcb3a36e042107a3a3e5d780b14e3829c08ae7aebcb0

Download Submit
C:\Users\Admin\Desktop\JoinReceive.rm.kd8eby0.7FF-128-90D

MD5
af08a0072a0d4d8ee823d1d3716ff8b4

SHA1
39d4b6b498af826d8b4ca2d9d5fd20fd17756e57

SHA256
943a5d5f755fcac5231716c0f77c4109ce6043b3a42192ad2bbd07e946b47e97

SHA512
9d2c9176dc8c39fa477d19a507cdcc033ac64283461804a906f4484b07cf2e5bd20350746c4c9194ed8cea67bbf716d2593079f6ea46c79b44c59049b44949b3

Download Submit
C:\Users\Admin\Desktop\JoinSave.DVR-MS.kd8eby0.7FF-128-90D

MD5
93cc51323e53d2afbfb37d1e0c8b9b73

SHA1
b11e4901945950e5543839155f1517a09c65ffdf

SHA256
ede5e51edec0632e7f21f1f7144f6cc766955079f17eff40a50a4a28553ecd46

SHA512
70515c158c246b4942a1ad03b450fec85f639d388a544f3cf0877e5bfadb21a38850b8f0f096c4e71692012671de762328afb6bc2785536aac2a43768dbb2a48

Download Submit
C:\Users\Admin\Desktop\LockAssert.vsdx.kd8eby0.7FF-128-90D

MD5
400413c514a9eb1ce8a07f9bdb751905

SHA1
1bc91d1d2a845813c893239072aa8d7e284ab908

SHA256
80a46f9edc3511ef62b503a229d54765c3807ba2d971a08f59a61554bc0dbb1a

SHA512
5d681ef0f51f3ed4fb94b56fa423818d38345e9082440ecaa4847b2f6819cda217c1efc4b9c96d0f8473ca1e1fc9eec37733550e4860234803d8695b86745a9e

Download Submit
C:\Users\Admin\Desktop\OutClear.7z.kd8eby0.7FF-128-90D

MD5
09f30acecbab7cfcd4778a5d8029dce9

SHA1
5a423e61132d85370fa7d03ba242a31bb10aee6f

SHA256
624886b6badc738b15578e6ec750e64b5a4d71307ed914754f58708efa0088c6

SHA512
e1e6a68be8ccb0b41c5ce055cd5cc25abb48b1930a5fa2f6de2c2cdd473568b44b99fb23ec91bad9642e4c500df69be417ab1ad90d9600bf9de8ce9bf9d713b6

Download Submit
C:\Users\Admin\Desktop\PushCheckpoint.docx.kd8eby0.7FF-128-90D

MD5
168aafded48bbc5a37d4bc06e0a9c9dc

SHA1
b5d84e3965a06a90abf26906533ceaa6a036d996

SHA256
c98e51efff1237a25ed21f4467790295156f8ea717a84c54b305c9a5d248d3b2

SHA512
c98224477dd876b2576935cfb8e0f512cd8f4cf06912e73fcd0424c99aa55991002d98989cab031693a41e9d40a8cdb62a09752963d45466ec25694c162a08aa

Download Submit
C:\Users\Admin\Desktop\ResetFormat.rtf.kd8eby0.7FF-128-90D

MD5
a33aa63d296e0fcadb19ba008f5def3b

SHA1
d7e7b9069561f2bf503ef4fefa7dad469e8fbb01

SHA256
ef250f87b56e6b33225ed3b3e396788aa3c2a55b2d5a57718ea263b4ba0ca424

SHA512
5f53fef924b950f2a0d5af5727d0e8cf0cc9ee702b910820e7eeeb5f18d51a154bc7ca4e83a5274f4d569ac916ab1a316aec1619b66ec082f176e34ac5b4898a

Download Submit
C:\Users\Admin\Desktop\ResetGroup.eprtx.kd8eby0.7FF-128-90D

MD5
233d956704d0d9c6d678ac1a8a70ad96

SHA1
de67227f72e2bc1103bcd5807f9679f4d3e381c9

SHA256
c1ad59b3c2499278b82503517eccb928da3d8486e79acfac6e9f7fac70bd9afa

SHA512
c1e69cc511e0e8af6a5697fd31e448d99d6a5a6357ff0f1c140c16e79eed8d6b49b3991530d8dbf60f57434c2f5351c4d1d416ead3b94968cb964ac09819861b

Download Submit
C:\Users\Admin\Desktop\ResizeResolve.xls.kd8eby0.7FF-128-90D

MD5
3a3f7a69e0e1e353781eda0008ef223d

SHA1
a167624331aae8ef46698e96191138ff73e9fea7

SHA256
c58d083b9e2eab0e9fe4749a077ed2769a157a1e882ee807f167d2e86eb2025f

SHA512
6ca17716c77cd710b6dae1902ec8939f0aed626fbf04d6a3f9c6679efc983baee8266029f6bc0594c3b7f0d9989f60360da7a1d8ed8dca6171588562650f48de

Download Submit
C:\Users\Admin\Desktop\RestoreInvoke.wmv.kd8eby0.7FF-128-90D

MD5
f83daaaf2d6b855f1efe08f00ea01f1e

SHA1
fea63544f620e9b2f09b41b25b7028b187d9f642

SHA256
c0e7dd5587fcb5f94a2126b5006a4762d3a983e2690120afdc2b905411a8e972

SHA512
8d09f1bd0e673974f3e213136e8205dfcedfb69232595921ff4632760e77c4cb8982a18d078de9ae273fd8a08ddfd2d94555ab5d9b0961efeb78f5ca5f412827

Download Submit
C:\Users\Admin\Desktop\ResumeSet.wmv.kd8eby0.7FF-128-90D

MD5
eba0f911d71e9d0209a127be8a70443d

SHA1
f71df486037897664db138b3c0104aeadbea348c

SHA256
6f03ed2048b6fb77644399a1fed85887b86bad008ab598050dca7a80c84f91f2

SHA512
b37e1067b65658f149a78f22e856695c11e1a3100fba9971fb14da5988763ddb82793e8e3a72301fb29497d5eea2761deebfa115a8790e1f284b63220edc4cc6

Download Submit
C:\Users\Admin\Desktop\UnprotectMeasure.xltx.kd8eby0.7FF-128-90D

MD5
8d7b95ac96f5efa01cac2c21ea9a755f

SHA1
681b4904cf5f2446ea34dd8480afe7bcc0916c31

SHA256
2da0fbd924d6aa73421779aa871c38270ddbee37ee0ac6ff32b31fa3d28d548f

SHA512
95b43367d8d084e67ce604978b7d3b6f4699c20b0dbdb5f64b45fd254890e2d7f60cc4da535625bd0baa7da73a615d678328b7592f39990aba96c9e479597e1d

Download Submit
C:\Users\Admin\Desktop\UnprotectRequest.avi.kd8eby0.7FF-128-90D

MD5
272b426ae709962b230c19c0d049d722

SHA1
7f2076f2f2051386f7958ebe5380a164e7470d4f

SHA256
4b9927bafafe87980f4171f1fcb219a8dbdafc698318a0c7e83159c4cf13c96d

SHA512
bdf4624f22964d23b14bef82eadd3cb87f07d9f9dba32e71481aacc8ab126dc4aa95e029c3d3d7acbe7a62b376fa5a00d84e2809e063cbac8729c77ae25f9ddc

Download Submit
C:\Users\Admin\Desktop\UpdateWatch.mid.kd8eby0.7FF-128-90D

MD5
edebe29ddad553f5cd90fe51c918ae3b

SHA1
c18aee55920d4327b214a6551aa3181f2812978d

SHA256
77b3eab9a43d618f9ab955a2067cb0a420baf6396f411338901dec5bfcbc1ab0

SHA512
226ee58d68f480678b8656b125cf1bdc48befcb1832c25b56a38c1521ffe8bb0b7fbae3d4d58f4c59742c2dc6c1f5cfe2c3ea7147ae8a6687d08991befa157ac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
memory/436-118-0x0000000000000000-mapping.dmp

Download
memory/560-86-0x0000000000000000-mapping.dmp

Download
memory/596-90-0x0000000000000000-mapping.dmp

Download
memory/772-71-0x0000000001FD0000-0x0000000002115000-memory.dmp

Filesize
1.3MB

Download
memory/772-64-0x0000000000000000-mapping.dmp

Download
memory/784-81-0x0000000000000000-mapping.dmp

Download
memory/828-93-0x0000000000000000-mapping.dmp

Download
memory/972-83-0x0000000000000000-mapping.dmp

Download
memory/1116-66-0x0000000000000000-mapping.dmp

Download
memory/1116-70-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1308-82-0x0000000000000000-mapping.dmp

Download
memory/1448-84-0x0000000000000000-mapping.dmp

Download
memory/1532-91-0x0000000000000000-mapping.dmp

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1600-94-0x0000000001E40000-0x0000000001F85000-memory.dmp

Filesize
1.3MB

Download
memory/1624-85-0x0000000000000000-mapping.dmp

Download
memory/1672-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1672-62-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1672-61-0x0000000000560000-0x00000000006A5000-memory.dmp

Filesize
1.3MB

Download